TWSL2016-006: Multiple XSS Vulnerabilities reported for Zen Cart

Today Trustwave released a vulnerability advisory in conjunction with Zen Cart. Researchers from the SpiderLabs Research team at Trustwave recently found multiple Cross-Site Scripting (XSS) vulnerabilities in the popular online open source shopping cart application.

The vulnerabilities affect Zen Cart 1.5.4 and potentially prior versions. Zen Cart released a new version 1.5.5 that has fixes for the security issues reported. It is recommended to upgrade to this version, however Zen Cart has also released local patch in case upgrade is not possible right away. More details are provided below.

Vulnerability Information

Several Cross Site Scripting vulnerabilities were discovered in the admin section of Zen Cart and one issue in the non-authenticated portion of the application. Our researchers found both reflective and stored XSS in multiple parameters of number of requests. Malicious Cross-Site Scripting injections could result in access to cookies, sensitive information and site defacement, which can result into further attacks.

Vulnerability Discovery

While testing Trustwave App Scanner's newest improvements to Cross-Site Scripting SmartAttack, we started running the App Scanner on various popular open source tools. In this process we scanned Zen Cart, with it being simple to configure and a popular shopping cart application with considerable market share.

The credentials for the application and the URL were provided to Trustwave App Scanner, which then crawled through the multiple pages of the application. Once an optimized set of pages were crawled, the smart attacks were added and an assessment run which returned multiple vulnerabilities.

There were many advantages in running an automated solution in this scenario. The tool was able to scan hundreds of pages and parameters without any manual intervention. The improved Cross Site Scripting detection using dynamic analysis resulted in finding vulnerabilities quickly and accurately (Finding XSS Vulnerabilities More Quickly with Dynamic Contextual Analysis). Once an initial scan was setup and stored as a template, the same template could be reused as the patches were provided by the Zen Cart Team. No additional setup was necessary for running the subsequent scans.

Vulnerabilities Fixes

Trustwave responsibly disclosed these security issues to Zen Cart, and worked with Zen Cart team while the issues were being fixed. Zen Cart initially provided point patches that fixed all but one Cross-Site Scripting issue reported by Trustwave. Due to widespread nature of the numerous vulnerabilities we reported,we recommended that Zen Cart add global sanitization of input parameters. This input validation was eventually added and provided a more thorough solution. Further details about this can be obtained at http://docs.zen-cart.com/Developer_Documentation/v1.5.5/code_docs/admin_sanitization.

A single Cross-Site Scripting issue is still present in the application, but due to CSRF protection for the request, exploiting the issue would require Admin privileges for the application.

During the fixing phase, Trustwave verified multiple versions of intermediate patches provided by the Zen Cart team and advised them with some additional issues we found during this testing. Zen Cart team was responsive during this process and a joy to work with as a partner in responsible disclosure.